An ad fraud scheme dubbed Matryoshka is preferentially targeting U.S. swing states in a reportedly Russian-owned mobile app that has historically been linked with white supremacism content, according to an ad fraud vendor.

Matryoshka, of course, are nesting Russian dolls.

The theft is of both advertisers’ dollars and users’ private data, mostly in the United States. Data that the Matryoshka fraud scheme targets is location data including longitude and latitude, device identifier data, and IP address, which can connect you to a specific neighborhood or even exact location. And while key U.S. swing states such as Pennsylvania, Michigan, and Wisconsin account for less than 10% of the activity in the affected app, they make up 25% of the attacks.

The app in question is iFunny, which is owned by Russian developer Okrujnost according to Buzzfeed. It has over 10 million installs on Android, plus more on iPhone.

It has been a hotbed for white supremacist content in the past.

“This scheme has impacted at least two million iOS and Android users, with well in excess of $10 million siphoned from advertisers in 2020,” says Pixalate, the ad fraud vendor that says it discovered the scheme. “The significant discovery highlights how cross-border ad fraud schemes may utilize mobile apps to infringe on consumer privacy and threaten national security.”

The ad fraud part is fairly standard, if not in execution, then in goal.


  1. On iPhone, the scammers inject an ad with a payload of malicious computer code into an ad on the iFunny app.
  2. The code executes, gathering personal information on users and devices.
  3. The code saves that data to a server controlled by the fraudsters.
  4. The code also gets “dozens to hundreds” of video ad serving template tags (essentially, requests to run a video ad from an advertiser) from the fraudster-controlled remote server.
  5. The code then executes those ad requests “hundreds or even thousands of times,” essentially faking ad views.
  6. Advertisers are essentially told their ads ran on a legitimate app and were viewable by real people.
  7. The scammers collect millions of dollars for the fake ad views.
  8. On Android the process is slightly different.


What remains unknown is what the scammers do with the personal user information they acquire. Once it is in their possession on a remote server, they can do literally anything with it: sell it, share it, or use it.

A mobile device identifier like an IDFA on iPhone or a GAID on Android can be used to track people’s mobile activity via placing other ad requests for the mobile device identifiers collected. Additionally, they could use the identifiers to report devices and people as “viewers” of ads they have not seen, to collect both payments for showing ads and potentially payments for allegedly taking action (buying products, installing apps).

The scammers could also potentially share the device identifiers to governmental or quasi-governmental organizations for political interference purposes.

The theft of ad dollars is illegal, of course. To generate video views and collect advertisers’ cash, the ad fraud spoofs where it is running, claiming to be any of thousands of other apps such as the CBS Sports app, Hulu, the Merriam-Webster Dictionary, or the Angry Birds app from Rovio.

The theft of personal data, at least for U.S. citizens in California — one of the few states to have a comprehensive data privacy law — is also illegal. And, potentially, more concerning than the monetary theft, given the current election season.

“For California consumers affected by this scheme, the logging of personal information ‘for a purpose that the consumer would not reasonably expect,’ and without the consumers’ authorization, appears to violate California Consumer Privacy Regulations,’ says Pixalate.

The affected app, iFunny, is a meme site that appears mostly harmless.

However, below the surface, a Buzzfeed investigation found neo-Nazi and anti-Semitic content, as well as violent “shoot the feds” type of militia content, at least in 2019. The site says it tries to remove all inappropriate content, and I didn’t find any when searched recently, including for Hitler memes and a variety of similar content.

But that doesn’t mean it can’t be found.

Regular users come into contact with racist content regularly, according to app reviews posted recently.

“I have had this app since 2012 and it has been going downhill ever since,” says an app review on Google Play by Maniacman125 from October 29. “The worst part for me is that the app is turning into an unmoderated conservative racist community. Posts that promote racism and fascism get featured daily and even the ads promote felonies … yes, felonies. Overall, this app is not funny, it is now just a hateful community with a political agenda.”

Other reviews cite similar issues, with one saying “most features are political or racist,” and another saying “a majority of people in the comments are pretty racist.”

The website and app don’t reveal data on who owns the app, and its App Store listing simply shows that it is owned by iFunny Inc. The company has an address in Seychelles, but no other information. (Which brings up a question: shouldn’t the Apple App Store and Google Play know exactly who has created each app published on their platforms?)

The more immediate question, however, is why this ad fraud is only found in iFunny. One possibility, of course, is that the fraudsters are known to or the same people as the developers behind iFunny. That is only a possibility, however.

The most troubling question of all is whether data collected from this app has been used by anyone, including Russian organizations, in an attempt to influence the U.S. election. That cannot be answered at this point, and we may never be able to definitely settle it.

On the ad fraud front, however, I have enquired with iFunny, and will update this post when the company responds.

Article Provided By: Forbes

Liquid Video Technologies Logo, Security, Video Surveillance, GravityRAT Greenville South Carolina


If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access ControlFire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.